[Plugins-writers] Incorrect Results from iis_auth_scheme.nasl

From: Lionel CONS (lionel.cons@private)
Date: Fri Jun 18 2004 - 02:28:31 PDT


    Using the latest version of Nessus (from CVS), we get false positives
    from iis_auth_scheme.nasl (Find if IIS server allows BASIC and/or NTLM
    authentication). The report claims that NTLM is enabled while the
    sysadmin claims it's not.
    
    When I connect to the server by hand I get:
    
      # telnet target 1234
      Trying 1.2.3.4...
      Connected to target.
      Escape character is '^]'.
      GET / HTTP/1.1 
      Host: target
      
      HTTP/1.1 401 Unauthorized
      Content-Length: 1656
      Content-Type: text/html
      Server: Microsoft-IIS/6.0
      WWW-Authenticate: Basic realm="x.y"
      X-Powered-By: ASP.NET
      Date: Fri, 18 Jun 2004 09:14:42 GMT
    
    So I see the basic auth here, no NTLM.
    
    According to
      http://www.networknewz.com/networknewz-10-20031113AuthenticationinIIS.html
    the server should have replied for NTLM authentication with:
      HTTP/1.1 401 Access Denied 
      WWW-Authenticate: Negotiate 
      WWW-Authenticate: NTLM
    
    FWIW, when given the "Authorization: NTLM" request, the server indeed
    replied with "401 Unauthorized". So either IIS is doing something bad
    or the Nessus code needs to be improved...
    
    Does anybody understand all this well enough to know whether
    iis_auth_scheme.nasl does the right thing or not?
    
    Cheers,
    __________________________________________________________
    Lionel Cons        http://cern.ch/lionel.cons
    CERN               http://www.cern.ch
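
An added example, not part of the original post and not the plugin's code: it reads the offered schemes from the `WWW-Authenticate` headers of a 401 reply and sets that beside a check that looks at the status code alone. The function names and the status-only check are assumptions made for illustration, and the two replies are constructed from the text quoted in the post.

```python
import re

# Constructed sample: the 401 reply quoted in the post.
REPLY_FROM_POST = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 1656\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    'WWW-Authenticate: Basic realm="x.y"\r\n'
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
# Constructed sample: the reply the cited article gives for NTLM.
REPLY_FROM_ARTICLE = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def advertised_schemes(raw):
    """Schemes offered in the WWW-Authenticate headers of a 401 reply."""
    status, headers = parse_head(raw)
    schemes = set()
    for name, value in headers:
        if status != 401 or name != "www-authenticate":
            continue
        # One header may carry several challenges: split on commas that
        # are outside quoted strings, then keep items that start with a
        # bare token (a scheme) and skip name=value parameters.
        for item in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            m = re.match(r'\s*([^\s=,]+)\s*(=?)', item)
            if m and not m.group(2):
                schemes.add(m.group(1).lower())
    return schemes

def status_only_check(raw):
    """Hypothetical weak check: treats any 401 as 'NTLM enabled'."""
    return parse_head(raw)[0] == 401
```

On the reply from the post, `status_only_check` returns True while `advertised_schemes` reports only `basic`, which is the mismatch between the report and the sysadmin's statement.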